Nginx Reverse Proxy for Nextcloud: A Guide

Nextcloud is a powerful self-hosted cloud storage solution, but exposing it directly to the internet can be risky. Enter the reverse proxy – a crucial component for enhancing security, performance, and flexibility. In this comprehensive guide, we’ll dive deep into setting up a Nextcloud reverse proxy using Nginx, exploring each configuration option to help you create a robust and efficient setup.

Prerequisites:

• A server running Nginx
• Nextcloud installed and running on an internal network
• Basic knowledge of server administration and Nginx configuration

Before we dive into this, I assume you already have a working nginx server and you already set it up with SSL as I don’t include the whole server block.

Let’s dive into the nitty-gritty of our Nextcloud reverse proxy configuration.

Understanding the Core Proxy Settings

location / {
    proxy_pass http://internal_nextcloud_ip:port;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}

This block forms the foundation of our reverse proxy setup. Let’s break it down:

1. proxy_pass: This directive tells Nginx where to forward the incoming requests. Replace internal_nextcloud_ip:port with your Nextcloud server’s internal IP and port.
2. proxy_set_header Host $host: Ensures that the original Host header is passed to the Nextcloud server, maintaining proper routing.
3. proxy_set_header X-Real-IP $remote_addr: Passes the client’s real IP address to Nextcloud, useful for logging and security purposes.
4. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for: Appends the client’s IP to the X-Forwarded-For header, maintaining a chain of IP addresses if multiple proxies are involved.
5. proxy_set_header X-Forwarded-Proto $scheme: Informs Nextcloud about the original protocol (HTTP or HTTPS) used by the client.

Enabling WebSocket Support

proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";

These directives enable WebSocket support, which is crucial for real-time features in Nextcloud, such as instant notifications and live collaboration.

Handling Large File Uploads

proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
proxy_connect_timeout 3600s;
client_max_body_size 10G;

These settings are essential for handling large file uploads:

1. The proxy_*_timeout directives set a generous timeout of 1 hour (3600 seconds) for various proxy operations, preventing timeouts during large file transfers.
2. client_max_body_size 10G allows uploads up to 10 gigabytes. Adjust this value based on your needs and server capabilities.

Enhancing Security with HTTP Headers

Note: this is optional if you are using panels like DirectAdmin, Plesk, etc. as they already apply some of these.

add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;

These add_header directives improve security by setting various HTTP headers:

1. X-Content-Type-Options: Prevents MIME type sniffing.
2. X-XSS-Protection: Enables the browser’s built-in XSS protection.
3. X-Robots-Tag: Prevents search engine indexing.
4. X-Download-Options: Prevents IE from executing downloads in the site’s context.
5. X-Permitted-Cross-Domain-Policies: Restricts Adobe Flash and PDF content.
6. Referrer-Policy: Controls the Referer header sent by the browser.

Implementing HSTS (HTTP Strict Transport Security)

# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

This commented-out directive enables HSTS, forcing browsers to use HTTPS for an extended period (1 year in this case). Uncomment and adjust as needed if you’re using HTTPS.

Optimizing Proxy Behavior

proxy_buffering off;
proxy_request_buffering off;
proxy_redirect off;
proxy_cache off;

These settings optimize the proxy’s behavior:

1. proxy_buffering off: Disables response buffering, sending the response to the client as soon as it’s received from Nextcloud.
2. proxy_request_buffering off: Disables request buffering, allowing Nginx to start forwarding the request body to Nextcloud immediately.
3. proxy_redirect off: Prevents Nginx from modifying the Location and Refresh headers from Nextcloud.
4. proxy_cache off: Disables caching of responses from Nextcloud.

Securing Sensitive Directories (Optional)

location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) {
    deny all;
}

This block denies access to sensitive Nextcloud directories, preventing potential security risks.

Putting It All Together

Here’s the complete Nginx configuration block for your Nextcloud reverse proxy:

location / {
    proxy_pass http://internal_nextcloud_ip:port;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # WebSocket support
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    # Timeout settings for large file uploads
    proxy_read_timeout 3600s;
    proxy_send_timeout 3600s;
    proxy_connect_timeout 3600s;

    # Increase max upload size (adjust as needed)
    client_max_body_size 10G;

    # Security headers
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Referrer-Policy no-referrer;

    # HSTS (optional - uncomment if you're using HTTPS)
    # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Optimizations
    proxy_buffering off;
    proxy_request_buffering off;
    proxy_redirect off;
    proxy_cache off;
}

# Deny access to sensitive files
#location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) {
#    deny all;
#}

This configuration provides a solid foundation for your Nextcloud reverse proxy setup. Remember to replace internal_nextcloud_ip:port with your actual Nextcloud server’s internal IP and port.

Best Practices and Additional Considerations

1. SSL/TLS Encryption: Always use HTTPS for your Nextcloud instance. Configure SSL/TLS on your reverse proxy to encrypt traffic between clients and your server.
2. Regular Updates: Keep both Nginx and Nextcloud up to date to ensure you have the latest security patches and features.
3. Monitoring: Implement monitoring for your reverse proxy to detect and respond to any unusual activities or performance issues.
4. Backup: Regularly backup your Nginx configuration along with your Nextcloud data.
5. Rate Limiting: Consider implementing rate limiting to protect against brute-force attacks and excessive requests.
6. Firewall Configuration: Ensure your firewall is properly configured to allow traffic only on necessary ports.
7. Testing: Always test your configuration in a non-production environment before deploying to production.

Conclusion

Setting up a Nextcloud reverse proxy with Nginx provides enhanced security, improved performance, and greater flexibility in managing your self-hosted cloud storage solution. By following this somewhat comprehensive guide and understanding each configuration option, you can create a robust and efficient setup tailored to your specific needs.

Remember, server security is an ongoing process. Regularly review and update your configuration to maintain a secure and performant Nextcloud instance.

FAQ

Q: Why use a reverse proxy for Nextcloud?
A: A reverse proxy enhances security, improves performance through caching and load balancing, and provides flexibility in server configuration.

Q: Can I use Apache instead of Nginx as a reverse proxy?
A: Yes, Apache can also be used as a reverse proxy. However, Nginx is often preferred for its efficiency in handling concurrent connections.

Q: How do I troubleshoot if my Nextcloud instance isn’t accessible through the reverse proxy?
A: Check your Nginx error logs, ensure the proxy_pass directive points to the correct internal IP and port, and verify that Nextcloud is running and accessible internally. It’ll also depend on where the error is so check both the reverse proxy logs and the local webserver for nextcloud logs. Check the nexcloud logs as well just to be sure.

Q: Is this configuration suitable for a production environment?
A: While this configuration provides a solid foundation, always test thoroughly and consider consulting with a security professional before deploying in a production environment.

Q: How can I implement SSL/TLS with this reverse proxy setup?
A: You can use Let’s Encrypt with Certbot to obtain and configure free SSL/TLS certificates for your Nginx server.